Secure public cloud with protected guest-verified host control

US 10,628,612 B2
Filed: 03/25/2019
Issued: 04/21/2020
Est. Priority Date: 08/11/2016
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a processor; and

a memory coupled to the processor;

whereinthe processor is to execute an untrusted host virtual machine monitor (VMM) to manage execution by the processor of at least one guest virtual machine (VM);

the untrusted host VMM is to cause the processor to create a key domain, the first key domain comprising a region of the memory to be encrypted by a key domain key that is inaccessible to the untrusted host VMM;

the processor is to receive an encrypted key domain key and decrypt the encrypted key domain key to produce the key domain key;

the untrusted host VMM is to cause the processor to launch a first guest VM within the key domain, wherein to launch the first guest VM within the key domain comprises switching to the key domain, decrypting at least part of an encrypted domain image to produce a guest control structure containing guest processor state information and to produce a guest code image, and executing the guest code image within the key domain using the guest processor state information from the guest control structure; and

the untrusted host VMM is to cause the processor to launch a second guest VM within the key domain, the second guest VM to provide an agent to act on behalf of the untrusted host VMM within the key domain, wherein to launch the second guest VM within the key domain comprises switching to the key domain, decrypting at least part of the encrypted domain image to produce an agent code image and to produce an agent control structure containing agent processor state information, and executing the agent code image within the key domain using the agent processor state information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.

Citations

23 Claims

1. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor;
  
  whereinthe processor is to execute an untrusted host virtual machine monitor (VMM) to manage execution by the processor of at least one guest virtual machine (VM);
  
  the untrusted host VMM is to cause the processor to create a key domain, the first key domain comprising a region of the memory to be encrypted by a key domain key that is inaccessible to the untrusted host VMM;
  
  the processor is to receive an encrypted key domain key and decrypt the encrypted key domain key to produce the key domain key;
  
  the untrusted host VMM is to cause the processor to launch a first guest VM within the key domain, wherein to launch the first guest VM within the key domain comprises switching to the key domain, decrypting at least part of an encrypted domain image to produce a guest control structure containing guest processor state information and to produce a guest code image, and executing the guest code image within the key domain using the guest processor state information from the guest control structure; and
  
  the untrusted host VMM is to cause the processor to launch a second guest VM within the key domain, the second guest VM to provide an agent to act on behalf of the untrusted host VMM within the key domain, wherein to launch the second guest VM within the key domain comprises switching to the key domain, decrypting at least part of the encrypted domain image to produce an agent code image and to produce an agent control structure containing agent processor state information, and executing the agent code image within the key domain using the agent processor state information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, whereinin response to an event triggering an exit condition of the first guest VM, the processor is to switch out of the key domain.
  - 3. The apparatus of claim 2, whereinthe guest control structure specifies a protected location of the memory where the processor may store additional guest processor state information for the first guest VM;
    - in response to the event triggering the exit condition of the first guest VM, the processor is to save the additional guest processor state information for the first guest VM in the protected location of the memory; and
      
      after the event triggering the exit condition has been handled, the untrusted host VMM is to cause the processor to resume the first guest VM, wherein resuming the first guest VM comprises switching to the key domain, retrieving the additional guest processor state information for the first guest VM from the protected location of the memory, and executing the guest code image within the key domain using the additional guest processor state information.
  - 4. The apparatus of claim 3, whereinthe guest code image comprises interrupt handler code to intercept an interrupt;
    - the processor is to convert the exit condition of the first guest VM to an exception;
      
      the guest code image is to save processor register information to the protected location of the memory in response to at least one of the interrupt and the exception;
      
      the guest code image is to clear a first processor register if the first processor register is not needed by the untrusted host VMM;
      
      the guest code image is to conditionally expose a second processor register if the second processor register is needed by the untrusted host VMM;
      
      the guest code image is to invoke the untrusted host VMM; and
      
      the first guest VM is to exit when the untrusted host VMM is invoked.
  - 5. The apparatus of claim 3, whereinthe untrusted host VMM is to receive an encrypted updated guest control structure, install the encrypted updated guest control structure in the memory, and verify the encrypted updated guest control structure;
    - the processor is to decrypt the encrypted updated guest control structure to produce an updated guest control structure; and
      
      in response to verifying the encrypted updated guest control structure, the untrusted host VMM is to cause the processor to enter the first guest VM using the updated guest control structure.
  - 6. The apparatus of claim 5, whereinthe untrusted host VMM is further to receive an encrypted updated guest code image and to install the encrypted updated guest code image in the memory;
    - the processor is to decrypt the encrypted updated guest code image update to produce an updated guest code image; and
      
      the processor is to enter the first guest VM by executing the updated guest code image using the updated guest control structure.
  - 7. The apparatus of claim 3, whereinthe untrusted host VMM is to determine whether a change to the guest control structure is needed;
    - the first guest VM is to verify that the change to the guest control structure does not compromise security of the first guest VM;
      
      the first guest VM is to produce an encrypted updated guest control structure incorporating the change using the key domain key; and
      
      the first guest VM is to send the encrypted updated guest control structure to the untrusted host VMM via a shared region of the memory shared by the untrusted host VMM and the first guest VM.
  - 8. The apparatus of claim 7, whereinthe untrusted host VMM is to install the encrypted updated guest control structure in the memory;
    - the untrusted host VMM is to verify the encrypted updated guest control structure;
      
      the processor is to decrypt the encrypted updated guest control structure to produce an updated guest control structure; and
      
      in response to verifying the encrypted updated guest control structure, the untrusted host VMM is to cause the processor to enter the first guest VM using the updated guest control structure.
  - 9. The apparatus of claim 1, whereinthe untrusted host VMM is to communicate a request to modify the guest control structure of the first guest VM to the agent via a shared region of memory shared by the agent and the untrusted host VMM;
    - in response to reading the request from the shared region of memory, the agent is to modify the guest control structure of the first guest VM within the key domain to produce a modified guest control structure of the first guest VM;
      
      the untrusted host VMM is to verify the modified guest control structure of the first guest VM;
      
      in response to verifying the modified guest control structure, the untrusted host VMM is to cause the processor to enter the first guest VM and execute the guest code image within the key domain using the modified guest control structure.
  - 10. The apparatus of claim 1, whereinthe encrypted domain image comprises an encrypted version of the guest control structure;
    - andthe processor is to confirm integrity of the encrypted version of the guest control structure.

11. A processor to:
- execute an untrusted host virtual machine monitor (VMM) to manage execution by the processor of at least one guest virtual machine (VM);
  
  create a key domain in response to a first command issued by the untrusted host VMM, the key domain comprising a region of a memory to be encrypted by a key domain key that is inaccessible to the untrusted host VMM;
  
  decrypt an encrypted key domain key to produce the key domain key;
  
  launch a first guest VM within the key domain in response to a second command issued by the untrusted host VMM, wherein to launch the first guest VM within the key domain comprises to;
  
  switch to the key domain,decrypt at least part of an encrypted domain image to produce a guest control structure containing guest processor state information and to produce a guest code image, andexecute the guest code image within the key domain using the guest processor state information from the guest control structure; and
  
  in response to a third command issued by the untrusted host VMM, to launch a second guest VM within the key domain, the second guest VM to provide an agent to act on behalf of the untrusted host VMM within the key domain, wherein to launch the second guest VM within the key domain comprises to;
  
  switch to the key domain,decrypt at least part of the encrypted domain image to produce an agent code image and to produce an agent control structure containing agent processor state information, andexecute the agent code image within the key domain using the agent processor state information.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The processor of claim 11, wherein the processor is further to:
    - switch out of the key domain in response to an event triggering an exit condition of the first guest VM.
  - 13. The processor of claim 12, whereinthe guest control structure specifies a protected location of the memory where the processor may store additional guest processor state information for the first guest VM;
    - andthe processor is further to;
      
      save the additional guest processor state information for the first guest VM in the protected location of the memory in response to the event triggering the exit condition of the first guest VM; and
      
      resume the first guest VM after the event triggering the exit condition has been handled, wherein to resume the first guest VM comprises to;
      
      switch to the key domain,retrieve the additional guest processor state information for the first guest VM from the protected location of the memory, andexecute the guest code image within the key domain using the additional guest processor state information.
  - 14. The processor of claim 11, wherein the processor is further to:
    - decrypt an encrypted updated guest control structure to produce an updated guest control structure; and
      
      enter the first guest VM using the updated guest control structure in response to receiving a command from the untrusted host VMM to enter the first guest VM.
  - 15. The processor of claim 14, wherein the processor is further to:
    - decrypt an encrypted updated guest code image update to produce an updated guest code image; and
      
      enter the first guest VM by executing the updated guest code image using the updated guest control structure.

16. A method comprising:
- executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM);
  
  in response to a first command from the untrusted host VMM, creating, by the processor, a key domain, the key domain comprising a region of a memory to be encrypted by a key domain key that is inaccessible to the untrusted host VMM;
  
  decrypting an encrypted key domain key to produce the key domain key;
  
  in response to a second command from the untrusted host VMM, launching a first guest VM within the key domain, wherein launching the first guest VM comprises;
  
  switching to the key domain,decrypting at least part of an encrypted domain image to produce a guest control structure containing guest processor state information and to produce a guest code image, andexecuting the guest code image within the key domain using the guest processor state information from the guest control structure; and
  
  in response to a third command issued by the untrusted host VMM, launching a second guest VM within the key domain, the second guest VM to provide an agent to act on behalf of the untrusted host VMM within the key domain, wherein launching the second guest VM within the key domain comprises;
  
  switching to the key domain,decrypting at least part of the encrypted domain image to produce an agent code image and to produce an agent control structure containing agent processor state information, andexecuting the agent code image within the key domain using the agent processor state information.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The method of claim 16, further comprising:
    - intercepting an interrupt;
      
      saving processor register information to a protected location of the memory in response to at least one of the interrupt and an exception thrown when the first guest VM causes an exit condition;
      
      clearing a first processor register if the first processor register is not needed by the untrusted host VMM;
      
      conditionally exposing a second processor register if the second processor register is needed by the untrusted host VMM;
      
      invoking the untrusted host VMM; and
      
      exiting the first guest VM when the untrusted host VMM is invoked.
  - 18. The method of claim 16, further comprising:
    - receiving an encrypted updated guest control structure, installing the encrypted updated guest control structure in the memory, and verifying the encrypted updated guest control structure;
      
      decrypting the encrypted updated guest control structure to produce an updated guest control structure; and
      
      entering the first guest VM using the updated guest control structure in response to verifying the encrypted updated guest control structure.
  - 19. The method of claim 16, further comprising:
    - determining whether a change to the guest control structure is needed;
      
      verifying, by the first guest VM, that the change to the guest control structure does not compromise security of the first guest VM;
      
      producing, by the first guest VM, an encrypted updated guest control structure incorporating the change using the key domain key; and
      
      sending, by the first guest VM, the encrypted updated guest control structure to the untrusted host VMM via a shared region of the memory shared by the untrusted host VMM and the first guest VM.
  - 20. The method of claim 19, further comprising:
    - installing the encrypted updated guest control structure in the memory;
      
      verifying the encrypted updated guest control structure;
      
      decrypting the encrypted updated guest control structure to produce an updated guest control structure; and
      
      entering the first guest VM using the updated guest control structure in response to verifying the encrypted updated guest control structure.
  - 21. The method of claim 16, further comprising:
    - verifying the agent control structure included within the encrypted domain image.
  - 22. The method of claim 21, further comprising:
    - communicating a request to modify the guest control structure of the first guest VM to the agent via a shared region of memory shared by the agent and the by the untrusted host VMM;
      
      modifying, by the agent, the guest control structure of the first guest VM within the first key domain to produce a modified guest control structure of the first guest VM in response to reading the request from the shared region of memory;
      
      verifying, by the untrusted host VMM, the modified guest control structure of the first guest VM; and
      
      entering the first guest VM and executing the guest code image within the key domain using the modified guest control structure in response to verifying the modified guest control structure.
  - 23. At least one non-transitory computer-readable medium comprising instructions that, when executed by a processor of a computer, enable the computer to perform the method of claim 16.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Durham, David M., Neiger, Gilbert, Huntley, Barry E., Sahita, Ravi L., Patel, Baiju V.
Primary Examiner(s)
Dada, Beemnet W

Application Number

US16/362,887
Publication Number

US 20190220625A1
Time in Patent Office

393 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1441   for a range

G06F 2009/45579   I/O management, e.g. provid...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/57   Certifying or maintaining t...

G06F 21/71   to assure secure computing ...

G06F 21/78   to assure secure storage of...

G06F 2212/402   Encrypted data

G06F 2221/2149   Restricted operating enviro...

G06F 8/63   Image based installation; C...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 9/0822   using key encryption key

Secure public cloud with protected guest-verified host control

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Secure public cloud with protected guest-verified host control

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links